AES (Advanced Encryption Standard) is a public symmetric encryption algorithm. It has been proven to be secure by mathematicians all over the world for many years. There is no self-respecting math student that has not tried to find a weakness in the algorithm during his studies at least once. A mathematical mistake in the algorithm would allow a conclusion to the plaintext from the encrypted data without trying out all possible combinations.

An algorithm is seen to be secure as long as it’s public and no mathematic mistake has been found.

Without a mathematic mistake in the algorithm the only way to ‘crack’ an AES encrypted data is to try all possible combinations, also known as brute-force attack.

As a very huge number of possible keys exist, the security of an algorithm is based on the time it takes to try all possible keys. A single computer is not able to brute force AES in a reasonable time and even a  quantum computer would not significantly reduce the time to brute force AES. But what about having 100.000 or more computers that all are used to brute force a single encryption key? In this case every computer does not need to brute force all combinations, it only needs to brute force a part of all keys.

So let’s do a theoretical calculation: How long it would take to brute force an AES256 key with lots of computers.

Some organizations may have more than 100.000 computers. As we’re not in control of such a network we may use a botnet for our scenario. The biggest botnet I’ve heard about was in control of ~700.000 computers. But 700.000 are still not enough. Let’s use all devices connected to the internet. According to Cisco, in 2015 there will be about fifteen billion devices connected to the internet and around forty billion devices by 2020. As the amount of devices will grow during our brute force attack we’re using exaggerated 300 billion devices for our calculation.

Now we’ll need to estimate how many keys a device can calculate per second. A realistic number using an up-to-date computer using GPUs instead of CPUs to run a brute force is ~100.000 keys per seconds. As devices will become faster while our brute force attack is running, we’re using again a number that is exaggerated compared to today’s hardware. We’ll use 10 million keys per second for our calculation.


How much power do we get:

300,000,000,000 devices multiplied by 10.000.000 keys/s =

(3E+18) that’s the amount of keys all our devices can calculate every single second. That’s quite a big number. But is this powerful enough to brute force an AES key in a reasonable time?

AES 256 bit is 2256 =                                                                                                                                      115.792.089.237.316. (1,15792E+77)

That’s the amount of possible combinations for an AES 256 key.


Now we’ll need to divide the amount of keys by the calculations we can do per second with our botnet. This will give us the seconds it will take to try all possible combinations:

38.597.363.079.105.300. or 3,85974E+58

Translated to years:

1.254.856.009.386. or 1,25486E+51

We have used exaggerated amount of devices and even exaggerated the calculation power of these devices and we didn’t get even close to a reasonable calculation time. Not even with 300 billion devices!

By the way the sun will be collapse in 4 billion years.

Years till the sun collapse
Years of brute force 1.254.856.009.386.


Overall it’s unlikely that an AES256 key can be brute forced… forever.


Leave a Comment


Jens Sabitzer

About Jens Sabitzer /

Jens is the Director, Pre-Sales Engineering EMEA he is with WinMagic for 4 years, working with various customers across Europe. When he is not living and speaking codes and security, he likes to unwind with football (the European kind of football). Having more than ten years of experience, working with IT security with a focus on cryptography at endpoint security, gateway technologies and hardware related security, he will be a viable voice on SecureSpeak.
Jens Sabitzer